Description
Arkei is an infostealer written in C++.
General
Target
Size
Sample
0e2f597d417df3a58dc5883d2da3e2755674976668439e0877d3f735a9b44264
169KB
211119-2jd4daehb9
Score
10/10
MD5
SHA1
SHA256
SHA512
a1ca5ad1cc91be482ed6e88d630c1219
6f700e81e0a752733a4d1db58045c18e77b1731e
0e2f597d417df3a58dc5883d2da3e2755674976668439e0877d3f735a9b44264
21e1697131f97a34be67bc4815abc9e3b73b92c25bcecef89952b37655df55c6b4a78aaec9d12d8fda5e86a5fb49b39c4de8dc41ee6daf90a850d516eb3e521a
Malware Config
Extracted
| Family | smokeloader |
| Version | 2020 |
| C2 |
http://host-file-host6.com/ http://host-host-file8.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/ |
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
Extracted
| Family | redline |
| C2 |
185.159.80.90:38637 |
Extracted
| Family | raccoon |
| Version | 1.8.3-hotfix |
| Botnet | ddf183af4241e3172885cf1b2c4c1fb4ee03d05a |
| Attributes |
url4cnc http://91.219.236.27/capibar http://5.181.156.92/capibar http://91.219.236.207/capibar http://185.225.19.18/capibar http://91.219.237.227/capibar https://t.me/capibar |
| rc4.plain |
|
| rc4.plain |
|
Extracted
| Family | arkei |
| Botnet | Default |
| C2 |
http://file-file-host4.com/tratata.php |
Extracted
| Family | raccoon |
| Version | 1.8.3-hotfix |
| Botnet | 59885c564847bf29ddd9457b81c619998245ba90 |
| Attributes |
url4cnc http://91.219.236.27/opussenseus1 http://5.181.156.92/opussenseus1 http://91.219.236.207/opussenseus1 http://185.225.19.18/opussenseus1 http://91.219.237.227/opussenseus1 https://t.me/opussenseus1 |
| rc4.plain |
|
| rc4.plain |
|
Extracted
| Family | redline |
| Botnet | easymoneydontshiny |
| C2 |
45.153.186.153:56675 |
Extracted
| Family | vidar |
| Version | 48.6 |
| Botnet | 706 |
| C2 |
https://mastodon.online/@valhalla https://koyu.space/@valhalla |
| Attributes |
profile_id 706 |
Extracted
| Family | redline |
| Botnet | Alex |
| C2 |
178.238.8.72:49214 |
Extracted
| Family | redline |
| Botnet | bot_tg |
| C2 |
188.119.113.20:27724 |
Targets
Target
MD5
Filesize
0e2f597d417df3a58dc5883d2da3e2755674976668439e0877d3f735a9b44264
a1ca5ad1cc91be482ed6e88d630c1219
169KB
Score
10/10
SHA1
SHA256
SHA512
6f700e81e0a752733a4d1db58045c18e77b1731e
0e2f597d417df3a58dc5883d2da3e2755674976668439e0877d3f735a9b44264
21e1697131f97a34be67bc4815abc9e3b73b92c25bcecef89952b37655df55c6b4a78aaec9d12d8fda5e86a5fb49b39c4de8dc41ee6daf90a850d516eb3e521a
Tags
Signatures
-
Arkei
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
Arkei Stealer Payload
Tags
-
Vidar Stealer
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses Microsoft Outlook profiles
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks
static1
Score
N/A
behavioral1
Score
10/10